SPI & Dynamic Packet Inspection

netsider (Limp Gawd; joined Oct 12, 2004; 466 messages)
It's been a while since I've read about networking in-depth, but I have a question. I was looking at a Buffalo AirStation router here, and it says it has "SPI" and "Dynamic Packet Filtering" both. I've Googled both, just to make sure before I posted this, and both of them are the same thing, and are used interchangeably most of the time on websites (like here). Is there a difference between the two that I'm missing? Why does the Buffalo AirStation router page list them like they're two different things? Just curious... :cool:
 
I'm guessing they're using the acronym SPI in the non-typical form for some odd reason, since the majority of uses fall within "Stateful Packet Inspection". Based off that second link, it seems they are referencing Dynamic Inspection (Stateful Packet Inspection) and using SPI to reference non-stateful packet processing (i.e. firewall rules). Most likely in an attempt to boost their feature set. This is why I moved out of the consumer realm a long time ago. Snake oil salesmen everywhere, using many big words and throwing acronyms around to upsell a product as if it has features uncommon elsewhere.

SPI is almost always directly referenced by people as Stateful, which has been common in almost all consumer gear for 10+ years, built-in, sometimes not even visible in the settings. All they are saying is they have Stateful Packet Inspection with Firewall capabilities allowing you to manually set what traffic can come in and what traffic can come out (source, destination, port). It doesn't maintain a table of current outgoing connections or connections coming in. However, their "Dynamic Packet Filtering" does the same damn thing.


*sigh*
 
Packet filtering < stateful packet inspection < deep packet inspection. The first two are now placebos since they only protect up to layer 4 when the attacks these days are occurring above layer 4.
 
"Placebos"...

A packet filter is still the first line of defense against spoofed and other technically incorrect traffic. Its benefit is very low complexity. DPI gear is so complex that it most probably has its own set of exploitable flaws.

Security is always best in layers. DPI doesn't make simple packet filters obsolete, at all.
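To make the distinction the replies above are drawing concrete, here is an added toy example (it is not code from this thread, from Buffalo, or from any real firewall): a stateless layer 3/4 packet filter chained in front of a stateful inspector, run over constructed packets. The filter can drop spoofed and technically incorrect traffic (a private source address arriving on the WAN side, a SYN+FIN header) and can refuse unsolicited inbound SYNs, but without a connection table it has to treat any inbound packet with ACK set as a reply. The stateful layer keeps a table of connections the LAN opened and drops a forged "reply" that never had a handshake. The LAN prefix 192.168.1.0/24 and the TEST-NET addresses are assumptions; all packets are constructed inline.

```python
"""Added example: stateless packet filter in front of stateful inspection.
Packets are plain Python objects, not real traffic.  The LAN prefix and the
RFC 5737 documentation addresses in the scenario are assumed for illustration.
"""
from dataclasses import dataclass
import ipaddress

LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN prefix
# Source ranges that can never legitimately arrive from the Internet side.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    iface: str          # "wan" or "lan": interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset    # TCP flags present, e.g. frozenset({"SYN", "ACK"})


def stateless_filter(pkt):
    """Layer 3/4 packet filter: judges each packet on its own header only."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "wan" and any(src in net for net in BOGONS):
        return "drop", "bogon source on wan"       # ingress anti-spoofing
    if pkt.iface == "lan" and src not in LAN_NET:
        return "drop", "non-LAN source on lan"     # egress anti-spoofing
    if {"SYN", "FIN"} <= pkt.flags:
        return "drop", "invalid SYN+FIN"           # technically incorrect header
    if pkt.iface == "wan" and "ACK" not in pkt.flags:
        return "drop", "unsolicited inbound"       # no new inbound connections
    # Anything else, including any WAN packet with ACK set, is assumed to be
    # a reply: without a connection table this is the best a filter can do.
    return "accept", "pass"


class StatefulInspector:
    """Tracks TCP connections opened from the LAN; a WAN packet is accepted
    only if it belongs to a tracked connection."""

    def __init__(self):
        self.table = {}   # (src, sport, dst, dport) of the initiator -> state

    def inspect(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.iface == "lan" and pkt.flags == {"SYN"}:
            self.table[fwd] = "SYN_SENT"           # new outbound connection
            return "accept", "new outbound"
        if fwd in self.table or rev in self.table:
            key = fwd if fwd in self.table else rev
            if "RST" in pkt.flags:
                del self.table[key]                # connection torn down
                return "accept", "reset"
            if self.table[key] == "SYN_SENT" and pkt.flags == {"SYN", "ACK"}:
                self.table[key] = "ESTABLISHED"    # handshake completed
            return "accept", self.table[key]
        return "drop", "no matching connection"


def firewall(stateful, pkt):
    """Filter first, then stateful inspection.  Returns (stage, reason) where
    stage is "accept", or the stage that dropped the packet."""
    verdict, why = stateless_filter(pkt)
    if verdict == "drop":
        return "filter", why
    verdict, why = stateful.inspect(pkt)
    return ("stateful", why) if verdict == "drop" else ("accept", why)


def run_scenario():
    """Constructed traffic: a LAN client opens an HTTPS connection, then an
    outsider probes it.  Returns {label: (stage, reason)}."""
    sf = StatefulInspector()
    lan, web, probe = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    packets = [
        ("outbound syn",  Packet("lan", lan, 40000, web, 443, frozenset({"SYN"}))),
        ("server synack", Packet("wan", web, 443, lan, 40000, frozenset({"SYN", "ACK"}))),
        ("client ack",    Packet("lan", lan, 40000, web, 443, frozenset({"ACK"}))),
        # ACK scan: a forged "reply" for a connection that was never opened
        ("ack probe",     Packet("wan", probe, 443, lan, 40000, frozenset({"ACK"}))),
        ("inbound syn",   Packet("wan", probe, 51000, lan, 22, frozenset({"SYN"}))),
        ("spoofed src",   Packet("wan", "10.0.0.9", 443, lan, 40000, frozenset({"ACK"}))),
        ("syn+fin",       Packet("wan", probe, 51001, lan, 40000, frozenset({"SYN", "FIN", "ACK"}))),
    ]
    return {label: firewall(sf, p) for label, p in packets}


if __name__ == "__main__":
    for label, (stage, why) in run_scenario().items():
        print(f"{label:14s} {stage:9s} {why}")
```

The "ack probe" line is the one that separates the two layers: the stateless filter accepts it because ACK is set, and only the connection table knows that 192.168.1.10:40000 never talked to 198.51.100.7:443. The bogon, SYN+FIN and inbound-SYN packets never reach the stateful stage at all, which is the cheap first line of defense the last reply is talking about.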
 